top of page
  • Admin

Virobot Ransomware Is A Multi-Tasking Menace

Published: June 19, 2020 on our newsletter Security Fraud News & Alerts Newsletter.

If ransomware is a cybercriminal’s friend, the new ransomware called Virobot, is their best friend – ever. Discovered just last month, Virobot is a one-stop-shop malware that uses ransomware, keylogging, and botnets – a triple threat. Traditionally, ransomware attacks enter through opened phishing emails and clicked attachments. It then it freezes computers and encrypts their data, rendering them useless. From there, a ransom payable in bitcoin is demanded, promising to provide the decryption key that restores data and devices. Depending on the target and how vital access to their data is – think hospitals and law enforcement – a decision to pay the ransom is made. Depending on how well an organization backs up its data, the organization can get back up and running on its own – so some ransoms go unpaid. From what’s been seen so far, Virobot ransomware may have its victims wishing for the “old school” days of simple ransomware attacks.

Although Virobot is still developing, it appears to have no affiliation with other hackers or the ransomware behind previous attacks. As of its recent debut, detecting it is a challenge. Virobot enters systems via email phishing with an attached file containing the virus. Once the file is opened, a remote command and control (C&C) server sends directives to all infected devices. From there, the second component of Virobot, keylogging, is added. Keylogging steals all strokes made on a keyboard, including email contacts, passwords, credit card numbers – every bit of information typed on a keyboard. The third Virobot component unleashes spam-sending botnets to the infected devices. By using the remote C&C, hackers direct botnets to create and send massive volumes of infected spam emails. In this case, stolen email contact lists from Microsoft Outlook were used. The more phishing emails sent with the virus, the greater the odds they will be opened. When that happens, the Virobot ransomware gets even more pervasive – increasing the chances of a ransom paid.

For those who manage networks, remember to always perform data backups on a regular basis. What "regular" means, completely depends on the individual organization and how important it is to keep that current. For healthcare, that could mean hourly. When deciding where to store those, be sure to keep them separate from the network too. There are versions of ransomware that actually target backups to make it more likely you have to pay the ransom.

When all the damage is said and done by Virobot’s three henchmen assistants, a simple ransom note appears on the infected computer screens. In this case, a ransom note written in French, demanded $520 in bitcoin to return systems to functioning. Surely, it’s not a king’s ransom, but hackers intentionally make the amount reasonable enough to be paid. Hackers make their real money by volume – the more ransoms getting paid, the more bitcoin bank they make. It remains to be seen how and if Virobot will develop in more depth and detail. If malware history is any indication, Virobot – or other forms of it – may be wreaking havoc for some time to come.

In the meantime, be sure to install and keep updated all anti-virus software. And if patches are released for any of your software products, apply them immediately. These patch vulnerabilities and prevent from letting the criminals in through them. Remember that most malware makes its way onto your devices via phishing. So watch for those email messages and texts too. If you are not 100% certain a link or attachment is safe, don’t click on it.

Want to schedule a conversation? Please email us at

bottom of page